As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- David Spreadborough at Amped
  - Closed-Box CCTV Acquisition Using Network Access
- Cado Security
- Cyber Triage
  - Inbound Logon Artifact Deep Dive Series
- Data Forensics
- Eric Capuano
  - VMware Memory Analysis with MemProcFS
- Forensafe
  - Workspaces in ArtiFast
- Joshua Hickman at ‘The Binary Hick’
  - iOS 15 Image Now Available. Finally.
- Mailxaminer
  - Is Message-ID Helpful for Forensic Email Analysis?
- Amber Schroader at Paraben Corporation
  - Different Android Flavors and Forensic Processing
- Chad Tilbury at SANS
  - Finding Evil WMI Event Consumers with Disk Forensics
- Dave Melvin at Sumuri
  - Open Source Tools & Mac Forensics
- John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Nicola Lawford, and Ron Deibert at The Citizen Lab
  - Confirmation & Research Note 1: Pegasus infections in Armenian Civil Society
- The DFIR Report
  - IcedID Macro Ends in Nokoyawa Ransomware
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - DeXRAY, DFIR, and the art of ambulance chasing…
- Adam Goss
  - Python Threat Hunting Tools: Part 4 — Browser Automation
- Allen West at Akamai
  - The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile
- Anomali
  - Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
- Any.Run
  - ChatGPT for SOC and Malware Analysis professionals: 3 Real-World Use Cases
- Francis Guibernau, Andrew Costis, and Giovanni López at AttackIQ
  - Response to CISA Advisory (AA23-144A): China State-Sponsored Actor Volt Typhoon Living off the Land to Evade Detection
- Jeremy Fuchs at Avanan
  - The Magic Link Attack
- Avertium
  - The Money Message Group – A New Ransomware Threat
- Bitdefender
  - Bitdefender Threat Debrief
- Lawrence Abrams at BleepingComputer
  - QBot malware abuses Windows WordPad EXE to infect devices
- Brad Duncan at Malware Traffic Analysis
- Brendan Chamberlain at InfosecB
- BushidoToken
  - Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz
- CERT Ukraine
  - Espionage activity of UAC-0063 against Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, Iran and India (CERT-UA#6549)
- CERT-AGID
- Check Point Research
- CISA
- Cisco’s Talos
- Schyler Gallant, Alex Geoghagan, and Cobi Aloia at Cofense
  - Top Malware Trends of April
- Csaba Fitzl at ‘Theevilbit’
  - Beyond the good ol’ LaunchAgents – 31 – BSM audit framework
- CyberCX
  - Cyber Adviser Newsletter – May 2023
- Cyble
- Cyborg Security
- Cyfirma
  - Weekly Intelligence Report – 26 May 2023
- Cyjax
  - Threat actors targeting Israel and India
- DomainTools
  - The Most Prolific Ransomware Families: 2023 Edition
- Dragos
  - The 2022 ICS/OT Vulnerability Briefing Recap
- Elliptic
  - Chinese Businesses Fueling the Fentanyl Epidemic Receive Tens of Millions in Crypto Payments
- Esentire
- Fortinet
- Nick Sundvall at Infoblox
  - Infoblox Researchers Uncover Malicious Domains Hosting Cryptocurrency Scams
- Alison Rusk at INKY
  - Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - Turla
- Ryan at Jumpsec Labs
  - Hunting for ‘Snake’
- Andrew Shelton at K7 Labs
  - Akira Ransomware Unleashing Chaos using Conti Leaks
- David Carmiel at KELA
  - An Executive’s Guide To The Cybercrime Underground
- Dex at Lab52
  - Quarterly Threat Report Q1 2023
- LockBoxx
  - Red Team Story Time!
- Logpoint
- Malwarebytes Labs
- Mandiant
- Michael Koczwara
  - APT 29 Initial Access Killchain – MITRE ATT&CK Mapping
- Microsoft
  - Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
- Microsoft’s ‘Security, Compliance, and Identity’ Blog
- Mark E. Haase and Tiffany Bergeron at MITRE-Engenuity
  - ATT&CK Sync: A Tool for Keeping Current with MITRE ATT&CK®
- Monty Security
  - Hunting Lazarus Group’s TTPs
- Palo Alto Networks
- Phylum
- Proofpoint
  - Account Compromise, Financial Theft, and Supply Chain Attacks: Analyzing the Small and Medium Business APT Phishing Landscape in 2023
- Red Canary
  - Intelligence Insights: May 2023
- Robin Dimyan
  - CTI Playbooks: Cyber crime intelligence
- S2W Lab
  - Detailed Analysis of CloudDon, Cloud Data Breach of Korea e-commerce company
- SANS Internet Storm Center
  - Another Malicious HTA File Analysis – Part 3, (Sun, May 21st)
  - Probes for recent ABUS Security Camera Vulnerability: Attackers keep an eye on everything., (Mon, May 22nd)
  - Help us figure this out: Scans for Apache “Nifi”, (Tue, May 23rd)
  - More Data Enrichment for Cowrie Logs, (Wed, May 24th)
  - IR Case/Alert Management, (Wed, May 24th)
  - Using DFIR Techniques To Recover From Infrastructure Outages, (Fri, May 26th)
  - DocuSign-themed email leads to script-based infection, (Sat, May 27th)
- Giampaolo Dedola at Securelist
  - Meet the GoldenJackal APT group. Don’t expect any howls
- Secureworks
  - Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
- Adrià Alavedra at Security Art Work
  - River Monsters: Phishing
- Security Investigation
- Sekoia
  - Bluenoroff’s RustBucket campaign
- SentinelOne
- SOCRadar
  - ChatGPT for CTI Professionals
- Rianna MacLeod at Sucuri
  - What Is a Keylogger?
- Symantec Enterprise
  - Buhti: New Ransomware Operation Relies on Repurposed Payloads
- Nigel Douglas at Sysdig
  - Day 2 Falco Container Security – Tuning the Rules
- Stefan P. Bargan at System Weakness
  - APT Groups — Vietnam — Part II
- Team Cymru
  - Want to learn more about NetFlow? Here’s a useful analogy to get you started
- Trend Micro
  - BlackCat Ransomware Deploys New Signed Kernel Driver
  - Future Exploitation Vector: File Extensions as Top-Level Domains
  - Info Stealer Abusing Codespaces Puts Discord Users at Risk
  - Against the Clock: Cyber Incident Response Plan
  - Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies
  - New Info Stealer Bandit Stealer Targets Browsers, Wallets
- Trustwave SpiderLabs
- VMRay
  - Bumblebee: A year in the hive
- Kleiton Kurti at White Knight Labs
  - Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion
- Zach Stanford
  - A Tale of Greatness
- Zscaler ThreatLabz
  - Ransomware Notes
UPCOMING EVENTS
- Swachchhanda Shrawan Poudel at Logpoint
  - Webinar: Vice Society’s Double Extortion – Demanding Ransom and Threatening Data Leaks
- Carlos Canto at Rapid7
  - VeloCON 2023: Submissions Wanted!
- SANS
PRESENTATIONS/PODCASTS
- Belkasoft
  - iOS Brute-Force: Now Free!
- Black Hills Information Security
- Breaking Badness
  - 155. Sunburst Your Bubble
- Cellebrite
  - Digital Forensics Tools: How to view the status of a data extraction in Physical Analyzer ULTRA?
  - Mobile Device Forensics: Do I need to reacquire a device when a new version of UFED is released?
  - Mobile Device Forensics: How to troubleshoot the device connection with Cellebrite UFED
  - Mobile Device Forensics: New features in UFED that assist to connect a mobile device
  - Episode 7: The Collaboration Podcast: IACIS x Cellebrite – Forensic Insights from the Frontlines
  - A Detective’s “Need to Know More” Drives Digital Transformation for Monroe CT Police Department
- Detections by SpecterOps
- Digital Forensic Survival Podcast
  - DFSP # 379 – New Process Creation
- Forensic Focus
  - Programming Languages, Flipper And Gaming
- InfoSec_Bret
  - IR – SOC180-130 – BianLian Ransomware Detected
- John Hubbard at ‘The Blueprint podcast’
  - Strategy 3: Build a SOC Structure to Match Your Organizational Needs
- Jon DiMaggio at Analyst1
  - On-Demand Webinar: The Lord Has Fallen
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Auto Start Monitoring and Disinfection with Autoruns
- Magnet Forensics
  - How to Delete an Evidence Source in Magnet REVIEW
- MSAB
- OALabs
  - Understanding The PEB for Reverse Engineers
- Richard Davis at 13Cubed
  - A File’s Life – File Deletion and Recovery
- SANS
- The Cyber Social Hub
  - Unique Exploits and Solutions in XRY & XRY Pro
- The Defender’s Advantage Podcast
  - Threat Trends: UNC961 and How Managed Defense Approaches Threat Hunting
- Velocidex Enterprises
MALWARE
- 0day in {REA_TEAM}
  - [Case study] Decrypt strings using Dumpulator
- ASEC
  - Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers
  - Kimsuky Group Using Meterpreter to Attack Web Servers
  - Kimsuky Group’s Phishing Attacks Targeting North Korea-Related Personnel
  - StrelaStealer Being Distributed To Spanish Users
  - Lazarus Group Targeting Windows IIS Web Servers
  - DarkCloud Infostealer Being Distributed via Spam Emails
  - ASEC Weekly Phishing Email Threat Trends (May 7th, 2023 – May 13th, 2023)
  - CVE Trend Report – March 2023 Vulnerability Statistics and Major Issues
  - March 2023 Threat Trend Report on Kimsuky Group
  - Threat Trend Report on Ransomware – March 2023
  - March 2023 Deep Web & Dark Web Threat Trend Report
  - ASEC Weekly Malware Statistics (May 15th, 2023 – May 21st, 2023)
  - Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections
- c3rb3ru5d3d53c
  - [65] Malware Lab – Reverse Engineering String Decryption Algorithms with Ghidra
- Erik Pistelli at Cerbero
  - Obfuscated Batch Scripts in OneNote Document
- ClearSky Cyber Security
  - Fata Morgana: Watering hole attack on shipping and logistics websites
- Cluster25
  - Back in Black: BlackByte Ransomware returns with its New Technology (NT) version
- Bret at Cyber Gladius
  - Deobfuscate PowerShell From Real-World Incident
- dr4k0nia
  - NixImports: a .NET loader using HInvoke
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #142: Mapping local types
- Igal Lytzki at Toxin Labs
  - Kraken – The Deep Sea Lurker Part 2
- InfoSec Write-ups
- Lab52
  - GuLoader as the Gatekeeper of AgentTesla: A Comprehensive Analysis
- Jakub Kaloč at WeLiveSecurity
  - Shedding light on AceCryptor and its operation
- Zhassulan Zhussupov
- Nikolaos Pantazopoulos and Brett Stone-Gross at ZScaler
  - Technical Analysis of Pikabot
MISCELLANEOUS
- Belkasoft
  - Sneak peek of Belkasoft X v.2.0
- Brian Maloney
  - The curious case of ♪ and ◙
- Joshua Thompson-Lindley at Cado Security
  - How we Sped up Acquiring Forensic Data From Managed Kubernetes Services by 97% by Rebuilding the SDK
- Monica Harris at Cellebrite
  - The Risks of Losing Data: Why Legal Hold for Text and Chat Data is Crucial
- Dr. Ali Hadi at ‘Binary Zone’
  - Memory Forensics – RansomCare Investigation Case 1
- Forensic Focus
  - Digital Forensics Round-Up, May 25 2023
- Ken Pryor at No Pryor Knowledge
  - Accomplishments and Goals
- Revo4n6
  - Managing Evidence and Investigations with Cellebrite Guardian
- SANS
  - Cybersecurity Jobs: Technical Director (Japanese)
SOFTWARE UPDATES
- Acelab
  - The New PC-3000 Flash Software Ver. 8.1.x has been released
- Brim
  - v1.1.0
- Doug Burks at Security Onion
  - Security Onion 2.3.250 now available including Elastic 8.7.1, Grafana 9.2.17, Suricata 6.0.12, Zeek 5.0.9, FleetDM 4.31.1, and more!
- Drew Alleman
  - DataSurgeon 1.1.4
- Eric Zimmerman
  - ChangeLog
- Federico Lagrasta
  - PersistenceSniper v1.12.0
- Alexis Brignoni
  - iLEAPP v1.18.7
- Manabu Niseki
  - Mihari v5.2.3
- Martin Willing
  - MemProcFS-Analyzer-v0.9
- Metaspike
  - Remote Authenticator for Mac 2.0.1 Release Notes
- Passmark Software
  - OSForensics V10.0 Build 1013 26th May 2023
- Martin Korman
  - Regipy 3.1.6
- SpecterOps
  - FOSS BloodHound 4.3.1 release
- Google
  - timesketch 20230526
- Velociraptor
  - Release 0.6.9
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!